Back to skill

Security audit

Website Capture - AllScreenshots

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward cloud screenshot skill, but users should treat target URLs and generated screenshots as shared with Allscreenshots.

Install only if you are comfortable sending Allscreenshots your API key, target URLs, rendering requests, and generated screenshots. Avoid confidential, internal, authenticated, or unauthorized pages unless your organization permits that third-party processing and storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill clearly routes user-supplied target URLs and screenshot content to a third-party cloud API, and the documentation does not warn users that browsing targets, page contents, and possibly authenticated page views may be transmitted off-platform and potentially stored externally. In this context, the omission is security-relevant because users may unintentionally send sensitive internal URLs or confidential web content to an external service.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The documentation instructs users to place an API key in an environment file but does not include guidance on protecting that credential from disclosure, logging, or accidental check-in. While this is common setup guidance, the lack of basic secret-handling precautions can lead to credential leakage and unauthorized use of the third-party account.

External Transmission

Medium
Category
Data Exfiltration
Content
### Desktop screenshot (default)

```bash
curl -s -X POST \
  -H "Authorization: Bearer $ALLSCREENSHOTS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url":"TARGET_URL","fullPage":true,"viewport":{"width":1280,"height":800},"blockAds":true,"blockCookieBanners":true,"stealth":true,"responseType":"url"}' \
Confidence
90% confidence
Finding
curl -s -X POST \ -H "Authorization: Bearer $ALLSCREENSHOTS_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
### Mobile screenshot

```bash
curl -s -X POST \
  -H "Authorization: Bearer $ALLSCREENSHOTS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url":"TARGET_URL","fullPage":true,"viewport":{"width":375,"height":812},"deviceScaleFactor":3,"blockAds":true,"blockCookieBanners":true,"stealth":true,"responseType":"url"}' \
Confidence
90% confidence
Finding
curl -s -X POST \ -H "Authorization: Bearer $ALLSCREENSHOTS_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## API Base

Endpoint: `https://api.allscreenshots.com/v1/screenshots`
Auth header: `Bearer $ALLSCREENSHOTS_API_KEY`

## Operations
Confidence
86% confidence
Finding
https://api.allscreenshots.com/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $ALLSCREENSHOTS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url":"TARGET_URL","fullPage":true,"viewport":{"width":1280,"height":800},"blockAds":true,"blockCookieBanners":true,"stealth":true,"responseType":"url"}' \
  "https://api.allscreenshots.com/v1/screenshots" | jq
```

### Mobile screenshot
Confidence
90% confidence
Finding
https://api.allscreenshots.com/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $ALLSCREENSHOTS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url":"TARGET_URL","fullPage":true,"viewport":{"width":375,"height":812},"deviceScaleFactor":3,"blockAds":true,"blockCookieBanners":true,"stealth":true,"responseType":"url"}' \
  "https://api.allscreenshots.com/v1/screenshots" | jq
```

### Dark mode
Confidence
90% confidence
Finding
https://api.allscreenshots.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.